A site dedicated to my hacks, mods, makes and occasional ramblings.


Monthly Archives: September 2014

Considering how popular the iPhone is, there are always going to be some counterfeits out there. I’ve been out buying various iPhone batteries to build a database of each generation’s characteristics, but one model has eluded me so far: the iPhone 5S. The iPhone 5C’s battery that I bought appears to be genuine (but with its own issues), but none of the iPhone 5S batteries I’ve bought so far (4 of them at the time of writing this blog post) were genuine. All of these fakes look like a genuine battery at first glance, but all of them share a few common traits.

Battery teardown

Label with parameters listed

Other side of label

The fake battery sports the usual iPhone battery information, complete with some dot-matrix printed data and a data-matrix barcode. It’s labeled with a capacity of 1560 mAh and 3.8 volts nominal voltage.

Comparison between real and fake iPhone 5S battery

The connector itself has two points where it is meant to be soldered down for durability. However, with the fake batteries, they are not soldered down. The two spots on the ends of the connectors are dark with a small point visible inside it (that point is the reinforcement pin on the connector). If this connector is installed in an iPhone, it will probably not come out without either damaging the battery’s connector, or worse, leaving the plastic connector piece inside the phone, requiring tweezers to remove.

Connector lifted off with a hobby knife

iPhone 5S and 5C battery pinout

Removing the black protective tape reveals an iPhone 4 battery fuel gauge board. The connector is soldered to this board, with four solder points visible.

iPhone 4 battery PCB with soldered-on flat flex connector

Pulling out the PCB reveals another characteristic of these fake batteries: the positive terminal is cut short, with another metal section being clumsily spot-welded to the stub on the cell.

Note how the battery tab is poorly welded to the PCB.

Battery fuel gauge data

The battery fuel gauge requires proper programming to accurately indicate the battery’s charge status. Because of this, each iPhone battery generation has its own specific configuration.

The fake iPhone battery retains the programming for the iPhone 4’s battery, which is a designed capacity of 1420 mAh, using a bq27541 fuel gauge running version 1.25 firmware. The data inside it is often that of a used/recycled battery as well.

This data can be (partially) read out directly from the iPhone with a tool such as iBackupBot, but more data can be read if the battery is read with another tool. I have the EV2400 from Texas Instruments to read this out on a PC, but this data can be read out with a USB-to-TTL serial port, a logic gate (a logic inverter) and a small MOSFET transistor.

I created a small tool that uses this circuit to interface with the fuel gauge and read out its data. Check it out here.

Using my tool, this is the report for one of these fake batteries. Note how it is identified as an iPhone 4 battery. Don’t be fooled by the calculated state of health. It’s not accurate for this battery, as the fuel gauge thinks it’s still inside an iPhone 4 battery pack.

Battery fuel gauges are the unsung heroes of the battery world. There’s more to it than just measuring the voltage on the battery terminals. These little chips are microcontrollers (tiny computers, essentially) that sit inside the battery pack and keep tabs on the battery’s performance for the life of that battery pack.

Texas Instruments makes battery fuel gauges that are small enough to fit in the circuitry of a cell phone, and iPhone batteries are among the most common users of this technology. These batteries use a single-wire interface called HDQ (which stands for High-Speed Data Queue). It may sound similar to Dallas Semiconductor’s 1-Wire protocol, but the two are completely different and incompatible with each other.

Protocol details

The HDQ protocol can be emulated with a serial port and a little bit of external circuitry. The serial port is set to 57600 baud with 8 data bits, no parity bit and 2 stop bits. Because this is a bi-directional bus, an open-drain configuration is needed. Most TTL serial ports are not open-drain, so some circuitry is required to do this. TI’s application note suggests using a CMOS inverter and an N-channel MOSFET along with a 1 kOhm pull-up resistor, but this can be cut down to a 74HC07 open-drain buffer and a pull-up resistor.

[EDIT: June 13, 2015 – Corrected schematic]

The HDQ protocol uses a short pulse to indicate a logic 1, with a longer pulse to indicate a logic 0. The data is sent LSB (least significant bit) first, with a 7-bit address and an eighth bit to indicate if the operation is a read or write (0 is read, 1 is write). If it is a read operation, the fuel gauge will respond with one byte of data. As you might think, this is a very slow means of communication; the typical bus speed is 5-7 kilobits per second, but the actual usable throughput will be less than this.

The hack in this is that the bit timing can be made by sending a specially crafted UART byte that meets the timing specifications. Each bit takes up one byte of UART buffer memory, with 24 bytes being enough to perform an HDQ read (the first 8 bytes are echoed back to the PC and need to be ignored by the software). TI’s application note goes into this with a bit more detail.
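The bit-to-UART-byte mapping described above, as an added Python sketch (not code from the HDQ utility or from TI). The byte values 0xFE and 0xC0, the decode threshold, the register address 0x08 and the sample reply are assumptions constructed for illustration; check the byte values against TI’s application note before driving real hardware.

```python
BIT_US = 1_000_000 / 57600      # one UART bit time at 57600 baud, about 17.4 us

# Assumed values, not given on the page: UART bytes whose start bit plus
# leading 0 bits form a short (logic 1) or long (logic 0) low pulse.
HDQ_ONE, HDQ_ZERO = 0xFE, 0xC0
THRESHOLD_US = 4.5 * BIT_US     # assumed midpoint between the two pulse widths


def low_time_us(uart_byte):
    """Low time of one UART frame: start bit plus leading 0 data bits (LSB first)."""
    low_bits = 1
    for i in range(8):
        if uart_byte >> i & 1:
            break
        low_bits += 1
    return low_bits * BIT_US


def encode_command(address, write=False):
    """7-bit address plus R/W flag in bit 7, expanded to one UART byte per HDQ bit."""
    if not 0 <= address <= 0x7F:
        raise ValueError("HDQ address must fit in 7 bits")
    command = address | (0x80 if write else 0x00)
    return bytes(HDQ_ONE if command >> i & 1 else HDQ_ZERO for i in range(8))


def decode_byte(uart_bytes):
    """Rebuild one HDQ byte from 8 sampled UART bytes, tolerating timing jitter."""
    if len(uart_bytes) != 8:
        raise ValueError("expected 8 UART bytes, one per HDQ bit")
    return sum(1 << i for i, b in enumerate(uart_bytes)
               if low_time_us(b) < THRESHOLD_US)


def parse_read(tx, rx):
    """Drop the 8 echoed bytes, check them against what was sent, decode the reply."""
    if len(rx) < 16:
        raise ValueError("short read: no reply from the gauge")
    if decode_byte(rx[:8]) != decode_byte(tx):
        raise ValueError("echo mismatch: wiring fault or bus contention")
    return decode_byte(rx[8:16])


# Constructed sample: read of address 0x08 and a jittered reply encoding 0xA5.
SAMPLE_TX = encode_command(0x08)
SAMPLE_REPLY = bytes([0xFE, 0xC0, 0xFC, 0x80, 0xE0, 0xFE, 0xC0, 0xFC])

if __name__ == "__main__":
    print(SAMPLE_TX.hex(" "), "->", hex(parse_read(SAMPLE_TX, SAMPLE_TX + SAMPLE_REPLY)))
```

Decoding by low-pulse width rather than by exact byte value matters because the gauge’s reply is not aligned to the UART’s bit clock, so the same HDQ bit can be sampled as several different byte values.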

Windows HDQ utility

HDQ utility icon, in all its pixelated glory.

I have written a small Windows program that will read out the battery’s main data, identify it as a certain iPhone battery model (most iPhone batteries are supported), and save a copy of this data to a text file for safekeeping. This program requires the National Instruments LabWindows/CVI Runtime library to run, since I whipped this program up with the first available IDE on my college PC.

Screenshot of HDQ Utility version 0.96

The source code is not yet available (translation: I’m too ashamed of my programming skills to share it with others); however, a Windows executable is available for download below.

Looking for my HDQ Utility to read out your own batteries? Click here!

UPDATE: Turns out the iPhone 3G and 3GS do have gas gauges! I will add them to my list as I find out more about them.

Each iPhone generation since the iPhone 3G uses a TI gas gauge and uses the HDQ bus (iOS refers to this as the SWI [single-wire interface]) to communicate with the outside world. For more information about the HDQ protocol, click here.

I’ve noticed that many of the iPhone 5S and 5C batteries that can be purchased online are reusing iPhone 4 circuits, which will cause a significant decrease in gauge accuracy (proper parameters need to be programmed into the gas gauge, and that information is chemistry dependent), and the protection circuits in the iPhone 4 battery PCB will kick into overvoltage protection mode at 4.25 volts, less than the 4.3 volts that the iPhone 5 (and newer) batteries need to charge fully.

Because I have been unable to find a list of information of each battery generation, I’m making one myself. Because nobody else has dug this deep into the fuel gauges that the iPhone uses, I have to get this information experimentally (that is, by buying various batteries from online shops; the iPhone 5S battery has been very difficult to get, besides the fake ones I mentioned earlier).

So far I’m in need of an iPhone 3G (not the 3GS) battery, as well as all iPad batteries (or, if you have my program on hand, what model the battery is intended for, the fuel gauge device (e.g. bq27541, bq27545), firmware version and designed capacity).

If anyone has one that reads “FULL ACCESS” in my program, please send it to me! 🙂

iPad (3rd gen) | bq27541 | 1.35 | 11560 mAh | Yes (0x36720414)

Notes:

All known iPhone battery models use custom firmware, so not all of the features that the mainstream gas gauge models use are available. For example, none of these gauges will calculate the battery’s State of Health percentage (basically the percentage of the battery’s full charge capacity, which degrades with use, versus its designed capacity).

The iPhone 5C’s battery label indicates a designed capacity of 1510 mAh, but the battery I’ve received indicates a capacity of 1550 mAh. As I have only been able to get one of these batteries that seem to be genuine, I will need to get more batteries of this type to confirm that this information is correct.

The iPhone 5’s battery label indicates a designed capacity of 1440 mAh, but the fuel gauge reports 1430 mAh. The 5S battery reports 1550 mAh, but is labeled 1560 mAh. The 5C reports 1500 mAh, but is labeled 1510 mAh.

The iPhone 6 and 6 Plus use a special firmware that is identified in TI’s battery software (except the very latest releases where such data was removed), and it has a very extensive feature set, and a lot of data logging features.

The iPhone 6S/6S Plus use a firmware version similar to the iPhone 6/6 Plus, but with a newer chip and some features trimmed out. I’m reasonably confident that the chip is an sn27546-A5 but have no idea if it’s the official part designator.

The iPhone SE battery seems to have a unique custom chip, but has gone back to a DFN-based package (similar to bq27541) rather than a BGA like the bq27545/546. It is marked “A1141” and does not respond to my HDQ adapter, only the official TI EV2300/EV2400. I have only one in my possession, so I am not 100% sure whether this is true for this series of batteries.